House Looks to Beef Up Cyber Security

WASHINGTON (CN) – The First Lady’s recent hacking scare made it a congressional priority Wednesday to work on curbing the nation’s growing cybersecurity problems.

The House Subcommittee on Crime, Terrorism, Homeland Security and Investigations discussed the matter for its first hearing of the 113th Congress, just days after unknown cyber thieves allegedly scored private financial data on Michelle Obama, Vice President Joe Biden, Attorney General Eric Holder, Mitt Romney, Arnold Schwarzenegger, Tiger Woods and more.

Some took little comfort in acknowledgement from President Barack Obama yesterday that the Chinese government is behind the growing cyberattacks on U.S. firms and infrastructure.

“I want the president to do a little more than tell Beijing that it needs to be tougher on cybercrime,” Subcommittee Chairman Jim Sensenbrenner, R-Wis., said.

The hearing’s debate bounced from beefing up the Computer Fraud and Abuse Act (CFAA), which has already been amended eight times, to giving law enforcement better tools to go after hackers no matter what their country of origin, to improving how the United States protects the privacy of citizen communication.

Rep. John Conyers, D-Mich., reintroduced the same bill he introduced in 2012, the Cyber Privacy Fortification Act, which he says creates a strong standard for data breach notification.

“Cyberattacks have increased according to the NSA by 44 percent and many of these attacks are perpetrated by criminals operating beyond our national boundaries intent on stealing our intellectual property and compromising our infrastructure,” Conyers said. “We’ve got a problem here. We need collaboration between the government and the private sector, but not at the expense of the privacy of innocent citizens.”

Robert Holleyman, president of BSA/The Software Alliance, testified that McAfee, a BSA-member company, identifies one new piece of malware every second and that its “Fort Detrick-like vault” of dangerous digital viruses contains more than 100 million specimens.

“This is a race,” Holleyman said.

U.S. Attorney Jenny Durkan, who covers the Western District of Washington where Microsoft and Boeing conduct business, added in her testimony that “few things are more sobering as the daily cyber threat briefings I receive. Unfortunately, the good guys are not the only innovators.”

She discussed how cyber thieves are shifting from targeting credit cards and other personal data to swiping the intellectual capital of large corporations, including trade secrets and product-planning documents. The threat extends from outside hackers to corporate and government insiders funneling information to foreign nation states.

“Addressing these complex threats requires a unified approach, one that incorporates criminal investigative and prosecutorial tools, civil and national security authorities, diplomatic tools, public-private partnerships, and international cooperation,” Durkan said. “Criminal prosecution, whether in the United States or a partner country, plays a central and critical role in this collaborative effort. While prosecution is not the appropriate approach for every threat that affects the United States, identifying and understanding the threat will very often involve the use of criminal investigative tools and methods.”

Democrats seemed wary of giving law enforcement too much power to prosecute cybercrime.

Ranking Democrat Bobby Scott of Virginia cited his concern that the CFAA creates an environment where everyday Internet activity is just as illegal as a foreign hacker swiping corporate data.

George Washington University law professor Orin Kerr echoed his concerns, stating, “Congress should act to narrow the statutory language so we’re not concerned with people violating terms of service or checking their Facebook pages on company time.”

Emphasizing “the dangers of legalizing terms of service violations,” Rep. Sensenbrenner warned that this could limit the ability of law enforcement to pursue cybercriminals.

Kerr replied: “Those terms are not designed to carry the weight of criminal liability.”

There was no mention at the hearing of the “Aaron’s Law” bill that Rep. Zoe Lofgren, D-Calif., introduced earlier this year after the suicide of Reddit.com co-founder Aaron Swartz.

The 26-year-old Swartz had been facing more than 30 years in prison and $1 million in fines after he was indicted for several felony CFAA violations related to his download of more than 4 million academic articles from the scholarly database Jstor.

If passed years ago, Aaron’s Law would have eliminated the serious charges Swartz faced.

Other ideas on how to reform CFAA that did make it to the meeting included a call from Rep. Louie Gohmert, R-Texas, to legalize “hacking back.”

Gohmert cited a story in which someone installed malware on their own computer so that when they were hacked, the hacker’s computer became infected and a picture of the hacker was sent to the victim.

Under current CFAA regulations, “hack backs” are illegal.

The panel of witnesses offered little advice over the brief, two-hour hearing on what specific legislation can help in the cyber race against foreign states and hackers, but most witnesses and legislators agreed that added emphasis on diplomacy and foreign cooperation is needed to track down and extradite hackers.

Sensenbrenner ended the hearing abruptly, stating that the Republicans were headed to “listen to the president talk,” presumably about sequester-related budget cuts.

Only one sequester-related question was posed to a witness at the hearing. Rep. Scott asked Deputy Assistant FBI Director John Boles how the sequester could affect the FBI’s cyber division, but Boles’ microphone malfunctioned before he could answer.

When the problem was fixed, he said that the FBI will continue to work on developing innovative techniques to combat cybercrime.